Solved

Exchange 2007 Secure POP, IMAP Certificate Warning

Posted on 2009-02-12
Last Modified: 2012-05-06
I am preparing to switch to Exchange 2007 CAS servers. I am required to allow secure POP and IMAP into the environment. I have GoDaddy UCC certificates with the proper names; the CN of each certificate is the FQDN of the server that it is installed on (I have been under the impression that this is the proper way to do the UCC certificates). Outlook Anywhere and OWA seem to be working fine, but when I access IMAP or POP I get a certificate warning saying the name doesn't match. The name it sees on the cert is the common name, but I am using mail.mydomain.com to access. I cannot change the common name of my certs now that I have bought them to mail.mydomain.com, but I didn't think I should have to. Does anyone know how I can fix this issue? I am assuming the Outlook client can only see the common name on the certificate? I tried doing a new CSR and just moving the mail.mydomain.com to the first name under domains, but it doesn't seem to matter how you order them. Any help would be greatly appreciated.
0
Question by:traviskrings
6 Comments
 
LVL 65

Accepted Solution

by:
Mestha earned 2000 total points
ID: 23625365
I would have set the common name to your preferred name of mail.example.com, not the server's real name. The simple rule I use is that the common name should be the name that most people will be using. Outlook Anywhere can have problems with using a different name than the common name - particularly with Outlook 2003.

Thus - it isn't the order of the additional names, but it is the common name you need to change.

The names I suggest are what I have in my blog: http://www.sembee.co.uk/archive/2008/05/30/78.aspx

You need to remember that POP3/IMAP are very old protocols, not used to the additional names in an SSL certificate, which is a fairly new thing.

-M
0
 

Author Comment

by:traviskrings
ID: 23625873
Yeah, I figured that was the answer I would get, but I was hoping I might get lucky and someone would have another way. I have my UCC certificates with GoDaddy, and I don't know if they will let me change the CN on them after I have already purchased them. I am on the phone with them to see if they can help me with that.

Hopefully I don't have any Outlook Anywhere problems, because right now it is set up to use a different name than mail.domain.com. When it was originally set up, long before me, it was done with outlook.domain.com. Hopefully I do not run into any issues with that. What kind of issues have you experienced with the Outlook Anywhere name not being the CN?
0
 
LVL 65

Expert Comment

by:Mestha
ID: 23626082
Outlook 2003 simply doesn't connect if the common name is not the same name that is put in the mutual authentication box. That is the main problem with it. Outlook 2007 seems a little more tolerant.

-M
0
 

Author Comment

by:traviskrings
ID: 23627231
GoDaddy initially told me I could order 4 certificates with the same CN for each of my servers, but that was not correct. I had to switch to 1 certificate with more SAN names and cover everything with 1. I am waiting for verification so I can download and install. After installing I will verify that my POP and IMAP work after changing the CN to mail.domain.com.
0
 
LVL 65

Expert Comment

by:Mestha
ID: 23627528
Sounds like there is still some confusion with the SSL certificate requirements for Exchange 2007. I had at one point a major certificate supplier pointing people to my blog posting regarding certificates, which simply astounded me!

-M
0
 

Author Closing Comment

by:traviskrings
ID: 31546179
I redid the certificate with mail.ciber.com as the CN and all Subject Alternative names under one certificate for all 4 servers.  This has done the trick for the warning with secure POP and IMAP.
0
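
The name mismatch discussed in this thread, as an added example that is not part of the original posts: it compares a client that checks only the certificate's common name with one that also reads the subject alternative names, before and after the CN is changed to the name users connect to. The host names and both sample certificates are constructed placeholders, and `fetch_cert` and `report` are hypothetical helper names.

```python
import socket
import ssl

def name_matches(pattern, host):
    """Case-insensitive DNS name match; '*' may stand for the left-most label only."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        return "." in h and h.split(".", 1)[1] == p[2:]
    return p == h

def common_names(cert):
    # cert uses the dict layout returned by ssl.SSLSocket.getpeercert()
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def dns_sans(cert):
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def cn_only_match(cert, host):
    """A client that compares the host name with the CN and ignores SANs."""
    return any(name_matches(cn, host) for cn in common_names(cert))

def san_aware_match(cert, host):
    """A client that uses SAN DNS entries when present, otherwise the CN."""
    names = dns_sans(cert) or common_names(cert)
    return any(name_matches(n, host) for n in names)

def fetch_cert(host, port=993, timeout=5):
    """Return the certificate a live IMAPS (993) or POP3S (995) listener presents."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # chain is still verified; names are compared above
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample certificates (placeholder names, not from a real server).
BEFORE = {"subject": ((("commonName", "cas01.example.com"),),),
          "subjectAltName": (("DNS", "cas01.example.com"), ("DNS", "mail.example.com"))}
AFTER = {"subject": ((("commonName", "mail.example.com"),),),
         "subjectAltName": (("DNS", "mail.example.com"), ("DNS", "cas01.example.com"),
                            ("DNS", "autodiscover.example.com"))}

def report(cert, host):
    """Say which kind of client would accept this certificate for this host name."""
    return {"cn_only": cn_only_match(cert, host), "san_aware": san_aware_match(cert, host)}
```

Passing the result of `fetch_cert("mail.example.com", 993)` to `report` shows which kind of client would warn for the name users actually type.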

Question has a verified solution.